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Step by Step: Extending SAP Access Control 
with SAP Fiori Applications 


Vyacheslav (Slava) Plyushchikov 
Advanced View Computer Technologies 


In This Session 


- Step-by-step process of: 


+ 


+ 


+ 


+ 


+ 


+ 


Planning Fiori apps enhancements 

Deploying Web IDE 

Extending GRC Access Control Fiori apps 
Tracing and debugging Fiori app front end 
Testing and debugging OData calls 

Tips and tricks of deploying extended Fiori apps 


Source: SAP 


What Well Cover SAPinsider 
- GRC Access Control Fiori overview 


- Business scenario for Fiori app extension 
- Implementation: IDE setup 

- Implementation: Fiori extension project 

- Tracing and debugging 

+ Deployment 

- Tips and tricks 

- Wrap-up 


SAP Fiori: Technology 


- Technology is based on HTMLSISAPUI5 
- Fiori app resides in the ABAP repository as BSP application 
- When executed, entire Fiori app is transferred to the HTML5-compatible web browser 


[BSP Application iv 
[GRC_ACREQ_CREO 


(e LS SR | (Ea) 
Object Name 
> (CH GRC ACREQ CREO 
~ CH Page Fragments 
> Ciisn 


SAP GW 


ABAP 
Repository 


> model | 
~ © view | 
* RoleSearch.controller.js 
* RoleSearch.view.xml 
* S2.controller.js 
* S2.view.xml 
* S3.controller.js 
* S3.view.xml 
* S4.controller.js 
* S4.view.xml 
* Welcome.controller.js 
* Welcome.view.xml 


SAP insider 


SAP Fiori: Technology (cont.) 


+ Model-View-Controller (MVC) concept 


+ Separation between data presentation (view), flow logic (controller), and data 
persistence (model) 


+ Better code reuse: change to one component does not affect other components 
Fiori App 


Update Update 
Controllers 


Data binding 


Models 


SAP Fiori: Benefits SAPinsider 


- Supported across multiple platforms, including mobile devices 

+ Any device with HTML5-compatible browser can be used 
- Requires zero footprint on the user device 

+ No application deployment: entire app is loaded to the browser during the call 
- Easy maintenance and support 

+ Update on the server immediately available to all users 
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Source: SAP 


SAP GRC AC Fiori Suite 


- Qut-of-the-box transactional Fiori apps: 


+ Request Access 


+ Request Access for Others 


+ Check Request Status 
+ My Access Approvals 
+ Compliance Approver 


GRC Fiori Apps 


Request Access 


+ 


Request Access for 
Others 


Check Request Status 


My Access Approvals 


Waiting for Approval 


Compliance Approver 


Waiting for Approval 


SAP GRC AC Fiori Suite (cont.) 


- Front-end Component UIGRC001 is deployed on SAP Gateway 
- Back-end OData services delivered in GRCFND_A on SAP GRC Server 


SAP GRC 


GRCFND_A 
GRC Foundation 
Component 


UIGRCOO1 
GRC Fiori UI 


What Well Cover SAP'nsider 


- GRC Access Control Fiori overview 

- Implementation: IDE setup 

- Implementation: Fiori extension project 
- Tracing and debugging 

+ Deployment 

- Tips and tricks 

- Wrap-up 


Business Scenario for Fiori Extension SAPinsider 


- Issue with access request creation: 
+ Company Role Catalog does not fit into out-of-the-box Fiori app functionality 
» Users cannot efficiently select roles 
» Performance issue due to large number of entries returned 


La Large number of 
roles, long wait 


Manufacturing 1590 > 


Order to Cash 2166 > 


Procure to Pay 2238 > 


Business Scenario for Fiori Extension (cont.) SAP side" 


- Standard app allows search only by business process or role keyword 
- Company role catalog is based on employee geographical location and job function 


I Each Business 
Business Process Role Count processes many 
roles. It is difficult to 


find the correct one. 


Gelee 


With additional 
filtering by 
Location and Job, 


Affiliate | Sroles”| | number of roles to 
Argentina 


choose becomes 


7 roles reasonable 


Business Scenario for Fiori Extension (cont.) 


- Solution: Extend “Request Access for Others” app 
+ Add required search fields 
+ Allow “Expert” mode for Super Users 


& GI 


Search Conditions 


Search Ek. SG 


Gi Q Business Support for SCE- 
ae 
Request For Vyacheslav Plyushchikov 2 
BUSINESS SUPPORT FOR Eege 


Home Location: Argentina SCE-GLOBAL 


Functional Area: Business Support Environment: All 


Business Process: 
Supply Chain Execution 


Bus. Process All Vv [| 


BUSINESS SUPPORT-RTR- 
GLOBAL 


Environment: All 


Expert Mode Technical Name: 


BUSINESS SUPPORT FOR SCE-GLOBAL 


Request Role py 


g SAPA Q, 2 Vyacheslav Plyushchikov V 


Now only 11 
roles are 
returned. Easy 
for user to 
choose from. 
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Demo: Extended Fiori App 


Extended Fiori App in Action: Request Access for Other 


What Well Cover 


+ GRC Access Control Fiori overview 

- Business scenario for Fiori app extension 
- Implementation: Fiori extension project 

- Tracing and debugging 

+ Deployment 

- Tips and tricks 

- Wrap-up 


IDE Setup 


- Option 1: Cloud/SAP HCP 
+ SAP Web IDE hosted on SAP HCP 
+ Free trial option and subscription-based option 


- Option 2: Local Web IDE installation 
+ Installed locally on Windows Workstation 
+ Free trial version of Web IDE 1.12 


IDE Setup (cont.) 


- Option 1: Cloud/SAP HCP 
+ Pros 
» No maintenance required, always latest version 
» No license cost (for SAP system connections) 
» Fiori apps can be hosted in the cloud 
» Generates Component-preload.js 


+ Cons 


» Requires SAP HANA Cloud Connector 
» May be slower compared to local installation 


- Register at: https://account.hanatrial.ondemand.com/ 


SAP HANA Cloud Platform 


Web IDE 


SAP HANA Cloud Cockpit 


Destinations 


SAP HANA Cloud Connector 


SAP Gateway 


IDE Setup (cont.) 


- Option 2: Local Web IDE installation 
+ Pros 
» Installed locally on Windows Local 
» Free, no licensing cost 
+ Cons: 
» No updates so far after SAP Web IDE 1.12 


e> C jë https://store.sap.com/sap/cpa/download/20/000001 


i! Apps 27 SuccessFactors: Le: =” SAP Learning Cente (9) Online learn 


SAP Store - Download 


SCN — SAP Web IDE Local Installation 


Click on the link(s) below to start the download. 


e SAP Web IDE Local Installation 


Local Web IDE 


SAP Gateway 


SAP Systems 


Do not use Fiori Toolkit for 
Eclipse, it is deprecated! 
Warning 


What Well Cover SAPinsider 


- GRC Access Control Fiori overview 

- Business scenario for Fiori app extension 
- Implementation: IDE setup 

- Tracing and debugging 

+ Deployment 

- Tips and tricks 

- Wrap-up 


Extending Fiori App 


- Import original Fiori app 


e C Q https://webide-s0012220987trial.dispatcher.hanatrial.ondemand.com/?hc_resd 


Run Deploy 


OS sae (©) Run 


Hi Slava! Welcome to SAP Web IDE 


Current version is 1.19 


What's new in this release 


Create a Project 


Q = 
S+ = 
Quick Start New Project 


with Layout from Template 
Editor 


Import an Application 


SAPUIS ABAP 
Repository 


== 
{gd} 
New Project 


from Sample 
Application 


© 


SAP HANA 
Cloud Platform 


New Extension 
Project 


& 


Clone from Git 
Repository 


Select Application from SAPUI5 ABAP Repository 


System * SAPSYSTEM 


Application à Description 
GRC_ACREQ_CREO 


Access request on behalf of 


GRC_ACREQ_MON 


Check request status 
GRC_AC_COMP_APV Compliance Approval 
GRC_SMT_RPT GRC Smart Reports App 
GRPC_CTRL_PERF GRPC Control Performance 


GRRM_UISBOWTIE Bow-tie 


ILMRWC 


Reporting work center - ILM Cockpit 


Target Folder 


GRC_ACREQ_CREO 


You can see the import progress in the application console. 


Œ G https://webide-s0012220987trial.dispatc 


Run Deploy Search 


View 


Tools 


CD Save (© Run Ka “ES EE 


EP Local 


GRC ACREQ CREO 

i18n 

model 

view 

.project.json 
.Ui5RepositoryBinaryFiles 
.Ui5Repositorylgnore 
.Ui5RepositoryTextFiles 
Component-dbg.js 


mm 


Component-preload-dbg.js 


Component-preload.js 


Component.js 


Configuration-dbg.js 


Configuration.js 


Main-dbg.controller.js 


Gj 


Main.controller.js 


Main.view.xml 


neo-app.json 


version.json 


Help 
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Extending Fiori App (cont.) 


- Create Extension project 


NEW EXTENSION PROJECT 1 Original Application and Name > Next 


1 Original Application and Name 


e 


File Edit Run Deploy Search View Tools Help 
KN 


C Q https://webide-s0012220987trial.dispatchd 


Extension Project” GRC_ACREQ_CREOExtension 


New File 


Translation Folder KORN 


Close XW Project from Template "OO 


Import original application 


Close All XW Project from Sample Application 


Close Others Quick Start with Layout Editor 

Large Small Custom 
Save ÉD Extension Project 100% x 100% 320 x 480 480 x 800 
Save All OS Extension Extension Project ( 


Import > SAPUI5 View 


Export OData Service 


Archive Cloud Connectivity Configuration 


Ie prsivau-uvy yD 


Search ER Ke 
r Request Access 


Git 


1t-preload.js 


Request For Vyacheslav Plyushchikov 


All 155 Welcome! 


Roles by Business Process Welcome 


pee Outline 


Show all elements 


+ Views 
>» Main 
» RoleSearch 


+ pageBusinessProcess 
b subheader 
+ content 
p sap.m:toolbar 
+ bprocList 
MAIN_LIST_ITEM 


To access applications, you search for and select footer 


then you submit a request. 


You may select a role for a specific system. 


Manufacturing BP 


Order to Cash BP 


» S3 

> S4 

» Welcome 

Fragments 
+ Controllers 


| Remove Extension | 


Replace with empty view 


Replace with a copy of the original view 
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Extending Fiori App (cont.) 


- Extend only views and controllers that need to be changed 
- For Business Case we extended: 

+ View S2: adding search filters 

+ Controller S2: fill in search filters 

+ Controller RoleSearch: send filter criteria to GRC 

+ Controller $4: hide extra custom fields 


Outline 


Show all elements v 


~ Views 
> Main 
> RoleSearch 
b S2Custom (Replacement for S2) 
b S3 
» S4 
> Welcome 
Fragments 
+ Controllers 
Main 
S2Custom (Extension for S2) 
S3 


S4Custom (Extension for S4) 


Welcome 
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Extending Fiori App (cont.) 


- Add Needed UI Elements to S2: 


> Sue (inn E £ => 


E Local *S2Custom.view.xml x 


D GRC_ACREQ_CREO 22v <core:Icon activeBackgroundColor="aqua" backgroundColor="" color="white" hoverBackgroundColor="#90008FF" press="initi 
[=] GRC_ACREQ_CREOExtension 23 src="sap-icon://person-placeholder"></core:Icon> Roles by Business Process 
® webapp 24 </content> 
ES localService 25 </Toolbar> 
P view oe 
= N 27- <Toolbar active="false" design="Info"> Q TU 
EI RoleSearchCustom.controller.js 28, TN Search A KU 
El S2Custom.controller.js 29 <Label id="SelectLoc" text="Home Location” textalign="Right" width="90%" ></Label> 


SZLUSIOIT nevv.xmi 30 <Select id="sLoc" width="170px"></Select> x e 
z i 31 </content> = H 
BE Seon akon = Request For Vyacheslav Plyushchikov 
EI Components 32 </Toolbar> x 
E) index.html 33 v <Toolbar active="false" design="Info"> 
i 34 ~ <content> E 
E -project.json 35 <Label id="SelectJob" text="Functional Area” textalign="Right" width="90%"></Label> Home Location 
El neo-app.json 36 <Select id="sJob" width="17@px"></Select> 
37 </content> H 
4 Functional Area 

38 </Toolbar> 
39~ <Toolbar active="false" design="Info"> 
48 + <content> 
41 <Label id="SelectBP" text="Bus. Process" textalign="Right" width="90%"></Label> Bus. Process 
42 <Select id="sBP" width="17@px"></Select> 
43 </content> od 
44 </Toolbar> e Exp ert M e 
EE <Toolbar active="true" design="Info"> Në 
46+ <content id="cont1"> 
47 <Label id="lException" text="Expert Mode” textalign="Right" width="90%"></Label> 
48 <CheckBox id="cException" select="onTOMExceptionChange" selected="false"></CheckBox> 
49 </content> 


</Toolbar> 


<List id="bprocList" items="{/BusinessProcesses}" mode="{device]/listMode}" select="bprocHandleSelect" showNoData="false"> 
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Extending Fiori App (cont. 


- Add logic to controller S2: 


cD Save ei Run EE EE 


F Local S2Custom.view.xml X *S2Custom.controller.js x 


Build custom “Z” OData 


FI GRC ACREQ CREO S = h = d 
57 
© GRC_ACREQ_CREOExtension 58 var mModelLoC = new sap.ui.model.odata.ODataModel("/sap/opu/odata/sap/ZGRC_ACCREQ_CREATE_OTHER_SRV"); ervices wnere require 
ES webapp 59 sap.ui.getCore().setModel(mModelLOC, "data model”): 
Ca localService 60 + var loctemplate = new sap.ui.core.Item({ 
E view 61 key: “(value)”, 
El RoleSearchCustom.controller.js a d text: “(Text)” 
Sones 64 var sloc = this.byId("sLoc"); 
E) S2Custom.view.xml 65 sloc.setModel(sap.ui.getCore().getModel("data_model")); 
El S4Custom.controller.js 66 ~ sloc.bindAggregation("items", { 
EI Component.s 67 path: "/ZLOC", 
El index.html 68 length: 300, 
EI .projectjson 69 template: loctemplate 
sl neo-app.json 79 LE 
71 
72 var mModelJOB = new sap.ui.model.odata.ODataModel("/sap/opu/odata/sap/ZGRC_ACCREQ CREATE OTHER SRV'): 
73 sap.ui.getCore().setModel(mModelJOB, "jdata_model"); 
74 var sjob = this.byId("sJob"); 
75 sjob.setModel(sap.ui.getCore().getModel("jdata_model")); 
76 v sjob.bindAggregation("items", { 
77 path: “/ZJ0B", 
78 length: 20, 
S Serie Lëtze ... or reuse standard OData 
80 D: ñ 
a Services 
82 var mModelBP = new sap.ui.model.odata.ODataModel("/sap/opu/odata/sap/GRC_ACCREQ_CREATE_OTHER") ; 
83 sap.ui.getCore().setModel(mModelBP, "jdata_model") ; 
84 ~ var bptemplate = new sap.ui.core.Item({ 
85 key: "{BusinessProcessID}", 
86 text: "{Description}" 


87 }); 
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Extending OData Services 


- Transaction SEGW 
+ Copy original OData Service and extend the copy 


A 


~ Dä. zGRC_ACCREQ CREATE OTHER 


> GRC CREATE OTHER E 
Që. ZS i > C Data Model Method | ZLOC_GET_ENTITYSET Active 
a ~ © Service Implementation i 
» OU BusinessProcesses call function 'DD DOMVALUES GET' 
» on Configurations exporting 
> D CustomFieldMetadataSet domname = 'Z USR LOCGRP' 
» on CustomFieldValueSet text = Ix 
» HU RequestAccessSet langu = sy-langu 
+ oo inessProcesses » OO RequestCustomFields tables 
oo BER “i > OU RequestReasons ddo7v tab it ddo7 
: Configurations > DO Requests exceptions 
* © CustomFieldMetadataSet > © RoleActions wrong textflag = 1 
“ © CustomFieldValueSet » = RoleDetais SSES =z. 
> € Roles 
s EU estA ssSe: 
Requ dn t > on UserDetails loop at lt ddo7 into ls ddo7. 
* OU RequestCustomFields » «y 
sers 
* EU RequestReasons > DO WelcomeMessageSet La entityset-custom fieldname = 1s_dd07-domvalue | 
e ED ests > OO zcfi lis entityset-value = ls dd07-domvalue 1. 
Requ ls entit set-text 1s dd07-ddtext kë 
+ =U RoleActions — “7: SC e ! 
= Create 
* 1 RoleDetails + Së Delete append La entityset to lt entityset. 
* EU Roles : à etEntity (Read endloop. 
. oo UserDetails H GetEntitySet (Query) 
“ Y odate 
“ GO Users ~ DU ZLOC sort 1t_entityset. 
“ CD WelcomeMessageSet + Së Create EE AUTRES apie from 1t_entityset. 
- D zcfi + Së Delete et_entityset[] = 1t entitysetil. 
ti e 
+ EU 21 O 


23 


Extending OData Services (cont.) 


- Transaction /IWFND/MAINT_ SERVICE 
+ Register OData service, maintain ICF node and system alias 


| Expert Mode 
) 


Roles by Business Process 


Search Q, L 


Request For Vyacheslav Plyushchikov 


Functional Area | 


<not selected> 
Bus. Process 
Algeria 
Argentina 
Australia 
Austria 
Brazil 
Canada 


Chile 


USA 


What Well Cover SAP'nsider 


- GRC Access Control Fiori overview 

- Business scenario for Fiori app extension 
- Implementation: IDE setup 

- Implementation: Fiori extension project 

- Deployment 

- Tips and tricks 

- Wrap-up 
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Debugging in Web Browser 


- Chrome is recommended for 


HTML5/Fiori development 


e 


C Q https://webidetesting5797500-s0012220987trial.dispatcher.hanatrial.ondemand.... 5.7 


"|EV 


Roles by Business Process 


Search 


Functional Area 


Brazil 


Logistics 


a 


Request For Vyacheslav Plyushchikov A 


Home Location 


New Tab EA 
New Window 3€N 
New Incognito Window QEN 
History > 
Downloads MECH 
a Bookmarks > 
Request Acc Zoom ms |+] Lo Start developer 
i Print... 36P s 
a Page As... #S GE tools In the 


Add to Applications... 


Edit 


browser 


Clear Browsing Data... 08A 

Extensions Settings 
Task Manager Help 
Encoding > Ss 


Developer Tools 


E ~ CA hittps://webidetesting5797500-s0012220987trial.dispatcher.hanatrial.ondemand.com/test-resources/sap/ushell/shells/sandbox/fioriSandbox.html?hc_orionpath=%2Fs0012220987trial%... ye, ® 


a 


SAPA 2” 


Roles by Business Process 


Request For Vyacheslav Plyushchikov 


Home Location 


Functional div#_ xm] 3 


apMBarcChild. sapMSlt. sapMSltDefault.sapMSltHover... 


Bus. Proc ES 


No data 


R 


D 


Elements 


Console 


Sources 


Network Timeline 


Inspect Ul elements 


Automatic highlight 


Access to properties 


Audits 012 43| : xX 


Resources 


weep Cerne wage 


Profiles 


“sapMBarChild sapMLabel sapMLabelTBHeader 
sapUiSelectable sapMTBShrinkItem'>Home 
Location</label> 
v <div id=""__xmlview3--sLoc" data-sap-uis 
"_xmlview3--sLoc" style="width: 170px;max— 
width: 100%" class="sapMBarChild sapMSlt 
sapMSl\tDefault sapMSltHoverable 
sapMSltivithërrov'' role="combobox" aria- 
expanded=" false" aria-lives'polite' aria- 
labelledby="__xmlview3--sLoc-label" 
tabindex="0"> 
<label id="__xmlview3--sLoc-label" for= 
"_xmlview3--sLoc" class= 
“sapMSltLabel''-snot selected></label> 
><span class="sapMSltArrow" id= 
"_xmlview3--sLoc-arrow'>.</span> 


Styles Computed Event Listeners Properties » 
Vv div#__xmlview3--SLOc. sapmbarthild. sapms Lt. Sap... 
accessKey: "" 
align: "" 
> attributes: NamedNodeMap 
baseURI: "https://webidetesting5797500-s001.. 
childElementCount: 2 
> childNodes: NodeList [2] 
> children: HTMLCollection [2] 
> classList: DOMTokenList [5] 
className: "sapMBarChild sapMSlt sapMS1tDef... 
clientHeight: 38 
clientLeft: 1 
clientTop: 1 
clientWidth: 168 


</div> contentEditable: "inherit" 
</div> > dataset: DOMStringMap 
><div id="__toolbar2" data-sap-ui= dir: mu 


“_toolbar2" data-sap-ui-fastnavgroup="true" 
role="toolbar" classs''sapMIBar sapMTB 
sapMTB-Info-CTX sapMTBInactive 

sapMTBNewF lex''>...</div> 


draggable: false 
> firstChild: label#_xmlview3--sLoc-label.sap 
> firstElementChild: label#__xmlview3--sLoc-la 


><div id="__toolbar3" data-sap-ui- Ta e 
too bars data Sap ul Tastnavgroup= SS innerHTML: "<label id="_xmlview3--sLoc-lab.. 


teur tee ass=" sSapMIBar sapMTB 
sapMTB-Info-CTX sapMTBInactive 
sapMTBNewF lex"'>...</div> 


innerText: "<not selected>" 
isContentEditable: false 
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Debugging in Web Browser (cont.) 


Debug, set breakpoints, 
view variables, control 
execution flow 


R D Elements Console Sources 


Sources Content scripts Snippets 
v © webidetesting5797500-s001222 
>| J orion/file/s0012220987trial$$ 
> (J resources/sap 
Yl_Itest-resources/sap/ushell/she 
=| fioriSandbox.html?hc_orionp 

Vv |_| webapp/view 
E S2Custom.controller.js 

> © (no domain) 


Inspect source code 


Profiles 


(I S2Custom.controller.js x PI 
635 


639 
Ki 
642 
643 
644 
645 
646 
647 
648 
649 
650 
651 
652 
653 
654 
655 
656 


657) 


658 
659 
660 
661 
662 
663 
664 
665 
666 
667 
668 
669 
670 
671 
672 
673 
674 
675 
676 
677 
f78 


Aa 
{} 


}, 


if (this.byId("sJob").getSelectedKey() === "ail { 
sap.m.MessageBox. show('Please select your Functional Area', sap. 
return; 


this.byld(''sLoc'').setVisible( false): 
this.byld(''SelectLoc''). setText('Home Location: " + this.byId("sLoc") 
this.byld(''sJob'').setVisible( false): 
this.byId("SelectJob").setText("Functional Area: " + this.byId("sJob 


var zLocJobm = this.oApplicationFacade.getApplicationModel("zLocJob" 
if (zLocJobm) { 
zLocJobm.setProperty("/loc", this.byId("sLoc").getSelectedKey 
zLocJobm.setProperty("/job", this.byId("sJob").getSelectedKey 
zLocJobm.setProperty("/bp", this. byId("sBP"). getselecredkey() 
zLocJobm. setProperty( dote se this.byld("cExceptions 
this. oApplicationFacade DOIT TC GC obt, zLocJobm) 


0) 
0) 
); 


} 
//this.getView().byId('searchfield').setValue("x") ; 


// grc ext end 
this.oRouter.navTo("roleSearch", { 
searchFilter: this.searchFilter, 
roleSearchPageTitle: this.roleSearchPageTitle 
H; 


bprocHandleSelect: function(e) { 


[Find av 


var i = e.getParameter("listItem"); 
this.bprocId = i.getTitle(); 
this. roleSearchPageTitle = this.getResBundle().getText("ROLES", [i.g 
var c = i.getBindingContext(); 
this.selectedBusinessProcess = c.getModel().getProperty(c.getPath() 
this.searchFilter = this.getView().byId('searchfield').getValue(); 
this.oRouter.navTo("roleSearchBz", { 
bprocId: this.bprocid, 
selectedBusinessProcess: this.selectedBusinessProcess, 
roleSearchPaneTitle: this. raleSearchPaneTitle 


-| Replace 


1 characters selected 


_orionpath=%... vej ® 
612 A3 : x 


Ka + TI OO "Ae 
> Watch + È 
v Call Stack 


S2Custom.controller.js:636 
sap.ui.controller.applyBackendSe 
archPattern 


MasterHeaderFooterHelper.js:4 
sap.ui.base.Object.extend.refreshLi 
st 


MasterHeaderFooterHelper.js:4 
sap.ui.base.Object.extend.handleM 
asterSearch 

MasterHeaderFooterHelper.js:4 
(anonymous function) 


era 


v Local 
Pb: L.extend.constructor 
éi gt 
>this: f 
zLocJobm: undefined 
Global Window 


v ERT 


> DOM E 

> XHR Breakpoints GP 
> Event Listener Breakpoints 

» Event Listeners G 
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Tracing OData Calls 


- User SAP Gateway tools 


+ /IWFND/ERROR_LOG 
» Gateway error log: records errors for calls to SAP GW 


+ /IWFND/TRACES 
» Gateway call traces: performance and payload traces 


+ JIWFND/GW_CLIENT 
» SAP Gateway Client: analyze and repeat calls 
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Gateway Error Log 


- First log to check if calls are failing 


le ErrorLog Edit Goto System Help 


— Review error log 
@ | "4H CaA BAR on SI OR 


SAP Gateway: Error Log 
H [E Re-Select 


(PIB) A e) a error context |[By active Source ES Download to PC JÉSupload from ec] summarize Logs | 


Overview 


E Line Entr. Date 7 Time 7 T100 Error ID TIO.. Error... ICF Node B| Error Text 
| 3 1 [12.01.2016 | 17:49:44 /IWFND/MED170 D 1 
| 


[— No service found for namespace , name ERC ACCREQ CREATE. OTHER SRV, version C Ana lyze th e cal I, 
2 1 17:49:27 /IWBEP/CM_MGW_RT021 D 1 odata [J Method 'BUSINESSPROCESSE_GET_ENTITYSET' not implemented in data providecales 3 E 
[| 1 1 17:49:01 /IWFND/CM_CONSUMER122 D 1 odata [Invalid system query options value s repl ay if req u ired 
4» 
Error Context 
Ex Name Value 
FE) .ERROR_CONTEXT 
ERROR. INFO No service found for namespace , name GRC ACCREQ CREATE OTHER. SRV, version 0001 
PS) ..ERROR_RESOLUTION 


BAR NOTE 
LINK TO. GAR NOTE 


KZ Inserm jee 


See SAP Note 1797736 for error analysis z 
https://service.sap.com/sap/support/notes/1797736 


mrna nmi nan 


29 


Gateway Traces 


- Analyze OData calls 
- Review performance trace 
- Replay calls to troubleshoot/debug issues 


SAP Gateway: Tracing Tools 


©) D o Z Error Log 


* © Users & Request URI Prefix 


+ CI TST-GRC-USR2 


- Configuration Performance Trace 


(cj 


de: 


[E Service Cal Info 


/sap/ZGRC. ACCREO CREATE | OTHER Ey 
/sap/ZGRC_ACCREQ_CREATE_OTHER_SRV/BusinessProcesses _ 
/sap/ZGRC_ACCREQ_CREATE_OTHER_SRV/BusinessProcesses ` 
/sap/ZGRC_ACCREQ_CREATE_OTHER_SRV/BusinessProcesses . 
| /sap/GRC_ACCREQ_CREATE_OTHER/BusinessProcesses?$skip .. 

| /sap/ZGRC_ACCREQ_CREATE_OTHER_SRV/BusinessProcesses _ 


/sap/GRC_ACCREQ_CREATE_OTHER/Users?$fitter=UserID%20 ` 


/sap/GRC ACCREQ CREATE OTHER/WelcomeMessageSet?$e 


res eg Client 100 User TST-GRC-USR2 


Method Proc. Time Appl. Time Reg. Size Resp. Size Format Date 


skip, |GET 


GET 
GET 
GET 
GET 
GET 
GET 
GET 
GET 


350 
131 
132 
146 
149 
364 
172 
182 
134 


281 


oo oo co OO OO OH 


4.490 


json 
txt 
txt 
xml 
txt 
json 


16.01.2016 
16.01.2016 
16.01.2016 
16.01.2016 
16.01.2016 
16.01.2016 
16.01.2016 
16.01.2016 
16.01.2016 


| Time 


12:04:18 
12:04:18 
12:04:18 
12:04:17 
12:04:17 
12:04:17 
12:04:17 
12:04:06 
12:04:01 


| Expiry Date | Statu: 


30.01.2016 
30.01.2016 
30.01.2016 
30.01.2016 
30.01.2016 
30.01.2016 
30.01.2016 
30.01.2016 
30.01.2016 


H R HH R HR 


CA 
O 


Gateway Client 


- Retrieve OData services metadata 
- Execute OData calls, review responses, troubleshoot issues 


Le” SAP Gateway Client Edit Goto Metadata System Help boy 


@ | v4B eee CHR 2009 SI ep 


| © Dexecute => Gselect [Maintain Service Service Implementation  €{EntitySets $% Add URI Option 


HTTP Method  (@)GET = (POST ()PUT (PATCH ()MERGE ()DELETE [Reuse HTTP Connection (e.g. for Soft State) 
Request URI___|/sap/opu/odata/sap/GRC_ACCREQ_CREATE_OTHER/?$format=xmi Ee || Muttipie Rows | 
Protocol @HTTP OHTTPS Test Group Test Case 


EEN III (Br response in Browser ËR Error Log IK HTTP Header Dies as Request Jër Data Explorer JËS) 
HTTP Request 


«|» ia TIP 


- <app:workspace> 
<atom:title type="text">Data</atom:title> 
- <app:collection sap:content-version="1" href="CustomFieldMetadataSet'> 
<atom:title type="text" >CustomFieldMetadataSet</ atom: title> 
<sap:member- title>CustomFieldMetadata </sap:member- title > 
</app:collection> 
- <app:collection sap:content-version="1" href="Requests"> = 
<atom:title type="text">Requests</atom:title> 
<sap:member- title>Request</sap:member- title > 
</app:collection> 
- <app:collection sap:content-version="1" href="RequestAccessSet'"> a 
<atom:title type="text" >RequestAccessSet</atom:title> + 


31 


What Well Cover 


+ GRC Access Control Fiori overview 

- Business scenario for Fiori app extension 
- Implementation: IDE setup 

- Implementation: Fiori extension project 

- Tracing and debugging 

- Tips and tricks 

- Wrap-up 
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Deploying Fiori App 


- Deploy app code to ABAP system 
+ Direct Deployment to SAPUI5 ABAP Repository 
+ Export/Import to SAPUI5 ABAP Repository 


- Give users access to Fiori app 
+ Navigation Design 
+ User Permissions 


SAP GW 


ABAP 
Repository 
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Direct Deployment to ABAP Repository 


- Direct Deployment to SAPUI5 ABAP Repository 


€ 


C' A https://webide-s0012220987trial.dispatcher.hanatrial.ondemand.com/?hc_reset 


DEPLOY TO SAPUI5 ABAP REPOSITORY 1 Deployment Options > 2 Deploy a New Application > Next 


1 Deployment Options 
DEPLOY TO SAPUI5 ABAP REPOSITORY 1 Deployment Options > 2 Deploy a New Application > Next 
nl Soe 2 Deploy a New Application 
e Deploy a new application 
Update an existing application 
Name * KGRC ACREQ CREO 
Description * 


ZGRC ACREQ CREO 


Package * ZGRAC | Browse | MM 


e Create a new request 


Request Description 


New Fiori app 


The Request ID is automatically generated 


Export/Import to ABAP Repository 


- Export from HCP 


+ Import via /UI5/UI5 REPOSITORY LOAD report 


€ CC https://webide-s0012220987 


Search View 


ce > 


Edit Run Deploy 


es Save (©) Run 
Local 
GRC_ACREQ_CREO 
GRC ACREQ 


webapp Import > 
I view Archive 
H Role Cut ak X 


& 
M 
[ 
Ÿ 


Name 


lë GRC_ACREQ_CREOExtension.zip 


lë Program Edit Goto System Help 


g -4E 06e BHE S08S HA ep 
SAPUI5 Repository Load: Load SAPUI5 App from and to Local File System 
CA: 


| Up- and Download your SAPUIS Application 


Use this report to upload a SAPUIS application to the SAPUIS ABAP Repository. 
Use it to download a SAPUIS application to the local file system. 
Use it to delete an existing SAPUIS application from the repository. 


Name of SAPUIS Application ZGRC_ACREQ CREO 


(©) Upload 
` "Download 
Delete 


[Adjust Line Endings on Upload 


* Specify SAPUIS Application Name * 
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Provide Access to Fiori App 


- Define Semantic Object /UI2/SEMOBJ 
- Define app alias in LPD CUST 


New Entries: Overview of Added Entries 
2 B 


_ Change Launchpad - Role: UIGRCOO1 Instance: TRANSACTIONAL (EN) 
C) New Folder [New Application Add Separator Delete Ù Copy from Other Launchpad Link to a Repository Application 


SE MJE: Log | 
Customized Version | A... | | Link Text "Z Request access for other 
* I GRC: Transactional Apps {Folder | Description 
+ B Inactive Applications Folder 
+ [E] Check Request Status URL ee 
R g Request access URL | Application Type — | 
+ & Access Request URL | Application Type URL MM 
EI Analyze Risks Web | | 
eae oa Web! ` Application Parameter —) 
. Analyze Users Web | f SH 
o g een Roles Web I URL /sap/bc/uiS_uiS/sap/zgrc_acreq_creo w) 
+ & Analyze Risks Web| —— = = = — 
+ [©] Approve Access Request URL | System | 
+ & smart Reports URL | | system Alas 
+ [E] Request access for others URL | Sg A 
+ [©] complaince approver [URL | = ne crabe ah 
| | Advanced Parameters (Optional) | 
` | Application - Deactivation by User | 
Application Cannot be Removed from Launchpad II 
| Application-Related Parameters = 
Application Alias IZACCESSREQUESTO E 
Target App. Parameters ` Bi 8 
Suspend/Resume "D 
Proxy Class 
Additional Information ISAPUIS.Component-fcg.grc.acreq.creat... 
FPM Event ID | | 
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Provide Access to Fiori App (cont.) 


- Define Catalogs and Groups 


+ /sap/bc/uid_ui5/sap/arsrvc_upb_admn/main.htm 
- Create tiles, target mappings, add tiles to groups 


HH Catalogs = Groups Employee (GRC) # Client: 100 ej 
Catalog Collection 


Q: X-SAP-UI2-CATALOGPA 


3 
Drag to add E CH 
SS 


Search for catalogs 


Search for tiles Q 


i Check Request Status i Request Acts E 
i Displays static text and... ! ` Displays static text Sen, ` 
Employee (GRC) Ë të 
SAP_GRC_BC_Employee 


SAP_GRC_BC_Compliance 49 Ze D) + 
SAP_GRC_BC_Compliance ' i 


[information] 

SAP: KPI Modeler (remote) ee EE EE 
IUI2/SAP_KPIMOD_TC_R Request Access 2 

Displays static text and 


© 


Make sure you 
assign transport 
request before 
configuration 


Assign Transport Request 


None (Local Object) 


*Customizing Request 


EGQK900010 v 


Add Catalogs, 
Groups as 
needed 
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Provide Access to Fiori App (cont.) SAPinsider 


- Define PFCG roles for Fiori Launchpad 
+ Define access to catalogs, groups, OData services, required Fiori Launchpad services 


s CH Role Menu 


1 RSTR IWSG ZPAGE_BUILDER_PERS_0001 —— | SAP Ul authorization items 
+) Th R3TR IWSG ZINTEROP 0001 
dn R3TR IWSV /UI2/INTEROP 0001 


| Sh R3TR IWSV /UI2/LAUNCHPAD 0001 

pj Kul R3TR IWSV /UI2/PAGE_BUILDER_PERS 0001 

El R3TR IWSV GRC_ACCREQ CREATE OTHER 0001 
«| Th R3TR IWSG GRC_ACCESSREQUEST_CREATE_SRV_0001 
x Ar deg IWSG GRC Sea OTHER, 0001 


z E Extended Fiori SS eae SHE g 
À [EE Extended Fiori Apps Catalog — | Fiori Launchpad items 


—— | Fiori app items 
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Provide Access to Fiori App (cont.) 


- Assign new role to users 
- User can see new tile in Fiori Launchpad 


SARA 


Roles by Business Process 


Extended Fiori Apps Group 


SAP Access Request Request For Vyacheslav Plyushchikov 
Extended Fiori Application 


Request Access 


Home Location <not selected> 
Welcome! 

Functional Area <not selected> To access applications, you search for and select roles, then you 
submit a request. 

Bus. Process You may select a role for a specific system. 


Expert Mode 


No data 


Demo: Modifying and Deploying Fiori App 


SAP Web IDE in Action 
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What Well Cover 


+ GRC Access Control Fiori overview 

- Business scenario for Fiori app extension 
- Implementation: IDE setup 

- Implementation: Fiori extension project 

- Tracing and debugging 

+ Deployment 


- Tips and tricks 


- Wrap-up 
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Single Sign-On 


Most common solution is based on SAML2 
+ Uses HTTPS ports 


+ Supports identity federation 


Internet 


SAP_GWFND 
SAP Gateway 
Component 


UIGRCOO1 
Fiori UI 


SAP GVV 


Q Internal User 
Fiori 


Intranet 


GRCFND_A 
GRC Foundation 
Component 


SAP GRC 
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Branding 


- Theme Designer 
+ /uid/theme_designer 


+ Copy existing theme to a new name and customize 


Expert 
Filters: Gë I A Q A View Options: ® 
O 
Theme Parameter Value 
sapBackaroundColor #f2f2f2 


sapBackgroundGradientBas... rgba(18,19,114,0.71) 


sapBackgroundimage suploaded image> 
sapBackgroundimageOpacity 1.0 
sapBackgroundimageRepeat true 
sapBaseColor #2D8EB5 
sapBrandColor #009de0 


sapBution Accept Background @sapPositiveElementColor 


sapButton_Background Grott D 
sapButton_BorderColor darken(@sapButton_Backar | | 
sapButton_BorderCornerRadius 0 DÉI 


e Dn ken em Dn nË si Alken 


Extended Fiori Apps Group 


SAP Access Request 
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What Well Cover 


+ GRC Access Control Fiori overview 

- Business scenario for Fiori app extension 
- Implementation: IDE setup 

- Implementation: Fiori extension project 

- Tracing and debugging 

+ Deployment 

- Tips and tricks 


44 


Where to Find More Information SAPinsicer 


- http://help.sap.com/grc-ac#section6 
+ GRC Access Control: SAP Fiori apps documentation on the SAP Help Portal 
- https://account.hanatrial.ondemand.com 
+ SAP HANA Cloud Platform: registration, access to management cockpit 
- https://sapuid.hana.ondemand.com 
+ SAP Ul Development Toolkit: SAPUI5/Fiori development 
- http://help.sap.com/nwgateway#section7 
+ SAP Gateway 2.0: SAP GW/OData services development on the SAP Help Portal 
- httpilladvanced-vievv.com 
+ Vyacheslav Plyushchikov’s blogs on GRC Access Control and Fiori apps 
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7 Key Points to Take Home SAPinsider 


- SAP Fiori apps for GRC AC can easily be extended 
- SAP provides free HCP-based IDE for developing and extending Fiori apps 


- Use design thinking approach: start from “better future” goal, not from analyzing current 
problems 


- Reuse as much as possible, change only app parts, where new functionality is needed 


- Keep the app “lightweight” to load faster on mobile devices, no big images or large data 
pre-loads 


- Build Fiori apps for access from the Internet: secure it with HTTPS, web filters, identity 
federation authentication 


- Use trace and debug tools for front-end and back-end issue resolution 
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Your Turn! 


How to contact me: 


Vyacheslav (Slava) Plyushchikov 
slava.plyushchikov@gmail.com 


Questions? 


Please remember to complete your session evaluation 
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Disclaimer 


SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other 
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE. 
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